CVE-2026-7466
Published: 29 April 2026
Summary
CVE-2026-7466 is a high-severity Code Injection (CWE-94) vulnerability. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 15.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mandates validation of the user-controlled pipeline_path parameter at the affected API endpoints to block loading and execution of arbitrary local Python pipeline files.
Requires timely flaw remediation, including applying vendor patches for this arbitrary code execution vulnerability to eliminate the root cause.
Enforces logical access controls to restrict the API from accessing and executing unauthorized local Python files specified via the pipeline_path parameter.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability enables arbitrary Python code execution via user-controlled pipeline_path in network-accessible API endpoints, directly mapping to T1190 (exploiting the application) and T1059.006 (Python interpreter for pipeline execution).
NVD Description
AgentFlow contains an arbitrary code execution vulnerability that allows attackers to execute local Python pipeline files by supplying a user-controlled pipeline_path parameter to the POST /api/runs and POST /api/runs/validate endpoints. Attackers can induce requests to the local AgentFlow API to…
more
load and execute existing Python pipeline files on disk, resulting in code execution in the context of the user running AgentFlow.
Deeper analysisAI
CVE-2026-7466 is an arbitrary code execution vulnerability (CWE-94) in AgentFlow, published on 2026-04-29. The issue resides in the local AgentFlow API, where the user-controlled pipeline_path parameter in the POST /api/runs and POST /api/runs/validate endpoints allows attackers to specify and load existing Python pipeline files from disk for execution. This results in code running in the context of the user operating AgentFlow, with a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).
Exploitation requires an attacker to induce a victim user to send a POST request to the affected endpoints with a crafted pipeline_path value pointing to a malicious local Python pipeline file. The network-accessible nature and lack of privileges enable remote attackers, but user interaction is necessary, often via social engineering such as phishing links or malicious inputs. Successful attacks grant high-impact arbitrary code execution, compromising confidentiality, integrity, and availability in the user's context.
Patches and mitigation details are documented in GitHub pull request #18 (https://github.com/berabuddies/agentflow/pull/18) and its associated changes (https://github.com/berabuddies/agentflow/pull/18/changes/7e61b6ce846b3d700456e4874394dc868905a9f2), along with a VulnCheck advisory (https://www.vulncheck.com/advisories/agentflow-arbitrary-python-pipeline-execution-via-pipeline-path). Security practitioners should apply these updates to prevent execution of unauthorized pipeline files.
Details
- CWE(s)